1package admin

3import (

4 "bytes"

5 "context"

6 "crypto/ed25519"

7 cryptorand "crypto/rand"

8 "crypto/rsa"

9 "crypto/x509"

10 "encoding/pem"

11 "errors"

12 "fmt"

13 "io/fs"

14 "log/slog"

15 "maps"

16 "os"

17 "path/filepath"

18 "slices"

19 "strings"

20 "time"

22 "github.com/mjl-/mox/config"

23 "github.com/mjl-/mox/dns"

24 "github.com/mjl-/mox/junk"

25 "github.com/mjl-/mox/mlog"

26 "github.com/mjl-/mox/mox-"

27 "github.com/mjl-/mox/mtasts"

28 "github.com/mjl-/mox/queue"

29 "github.com/mjl-/mox/smtp"

30 "github.com/mjl-/mox/store"

31)

33var pkglog = mlog.New("admin", nil)

35var ErrRequest = errors.New("bad request")

37// MakeDKIMEd25519Key returns a PEM buffer containing an ed25519 key for use

38// with DKIM.

39// selector and domain can be empty. If not, they are used in the note.

40func MakeDKIMEd25519Key(selector, domain dns.Domain) ([]byte, error) {

41 _, privKey, err := ed25519.GenerateKey(cryptorand.Reader)

42 if err != nil {

43 return nil, fmt.Errorf("generating key: %w", err)

44 }

46 pkcs8, err := x509.MarshalPKCS8PrivateKey(privKey)

47 if err != nil {

48 return nil, fmt.Errorf("marshal key: %w", err)

49 }

51 block := &pem.Block{

52 Type: "PRIVATE KEY",

53 Headers: map[string]string{

54 "Note": dkimKeyNote("ed25519", selector, domain),

55 },

56 Bytes: pkcs8,

57 }

58 b := &bytes.Buffer{}

59 if err := pem.Encode(b, block); err != nil {

60 return nil, fmt.Errorf("encoding pem: %w", err)

61 }

62 return b.Bytes(), nil

63}

65func dkimKeyNote(kind string, selector, domain dns.Domain) string {

66 s := kind + " dkim private key"

67 var zero dns.Domain

68 if selector != zero && domain != zero {

69 s += fmt.Sprintf(" for %s._domainkey.%s", selector.ASCII, domain.ASCII)

70 }

71 s += fmt.Sprintf(", generated by mox on %s", time.Now().Format(time.RFC3339))

72 return s

73}

75// MakeDKIMRSAKey returns a PEM buffer containing an rsa key for use with

76// DKIM.

77// selector and domain can be empty. If not, they are used in the note.

78func MakeDKIMRSAKey(selector, domain dns.Domain) ([]byte, error) {

79 // 2048 bits seems reasonable in 2022, 1024 is on the low side, larger

80 // keys may not fit in UDP DNS response.

81 privKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)

82 if err != nil {

83 return nil, fmt.Errorf("generating key: %w", err)

84 }

86 pkcs8, err := x509.MarshalPKCS8PrivateKey(privKey)

87 if err != nil {

88 return nil, fmt.Errorf("marshal key: %w", err)

89 }

91 block := &pem.Block{

92 Type: "PRIVATE KEY",

93 Headers: map[string]string{

94 "Note": dkimKeyNote("rsa-2048", selector, domain),

95 },

96 Bytes: pkcs8,

97 }

98 b := &bytes.Buffer{}

99 if err := pem.Encode(b, block); err != nil {

100 return nil, fmt.Errorf("encoding pem: %w", err)

101 }

102 return b.Bytes(), nil

103}

104

105// MakeAccountConfig returns a new account configuration for an email address.

106func MakeAccountConfig(addr smtp.Address) config.Account {

107 account := config.Account{

108 Domain: addr.Domain.Name(),

109 Destinations: map[string]config.Destination{

110 addr.String(): {},

111 },

112 RejectsMailbox: "Rejects",

113 JunkFilter: &config.JunkFilter{

114 Threshold: 0.95,

115 Params: junk.Params{

116 Onegrams: true,

117 MaxPower: .01,

118 TopWords: 10,

119 IgnoreWords: .1,

120 RareWords: 2,

121 },

122 },

123 NoCustomPassword: true,

124 }

125 account.AutomaticJunkFlags.Enabled = true

126 account.AutomaticJunkFlags.JunkMailboxRegexp = "^(junk|spam)"

128 account.SubjectPass.Period = 12 * time.Hour

129 return account

130}

131

132func writeFile(log mlog.Log, path string, data []byte) error {

133 os.MkdirAll(filepath.Dir(path), 0770)

134

135 f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0660)

136 if err != nil {

137 return fmt.Errorf("creating file %s: %s", path, err)

138 }

139 defer func() {

140 if f != nil {

141 err := f.Close()

142 log.Check(err, "closing file after error")

143 err = os.Remove(path)

144 log.Check(err, "removing file after error", slog.String("path", path))

145 }

146 }()

147 if _, err := f.Write(data); err != nil {

148 return fmt.Errorf("writing file %s: %s", path, err)

149 }

150 if err := f.Close(); err != nil {

151 return fmt.Errorf("close file: %v", err)

152 }

153 f = nil

154 return nil

155}

156

157// MakeDomainConfig makes a new config for a domain, creating DKIM keys, using

158// accountName for DMARC and TLS reports.

159func MakeDomainConfig(ctx context.Context, domain, hostname dns.Domain, accountName string, withMTASTS bool) (config.Domain, []string, error) {

160 log := pkglog.WithContext(ctx)

161

162 now := time.Now()

163 year := now.Format("2006")

164 timestamp := now.Format("20060102T150405")

165

166 var paths []string

167 defer func() {

168 for _, p := range paths {

169 err := os.Remove(p)

170 log.Check(err, "removing path for domain config", slog.String("path", p))

171 }

172 }()

173

174 confDKIM := config.DKIM{

175 Selectors: map[string]config.Selector{},

176 }

177

178 addSelector := func(kind, name string, privKey []byte) error {

179 record := fmt.Sprintf("%s._domainkey.%s", name, domain.ASCII)

180 keyPath := filepath.Join("dkim", fmt.Sprintf("%s.%s.%s.privatekey.pkcs8.pem", record, timestamp, kind))

181 p := mox.ConfigDynamicDirPath(keyPath)

182 if err := writeFile(log, p, privKey); err != nil {

183 return err

184 }

185 paths = append(paths, p)

186 confDKIM.Selectors[name] = config.Selector{

187 // Example from RFC has 5 day between signing and expiration. ../rfc/6376:1393

188 // Expiration is not intended as antireplay defense, but it may help. ../rfc/6376:1340

189 // Messages in the wild have been observed with 2 hours and 1 year expiration.

190 Expiration: "72h",

191 PrivateKeyFile: keyPath,

192 }

193 return nil

194 }

195

196 addRSA := func(name string) error {

197 key, err := MakeDKIMRSAKey(dns.Domain{ASCII: name}, domain)

198 if err != nil {

199 return fmt.Errorf("making dkim rsa private key: %s", err)

200 }

201 return addSelector("rsa2048", name, key)

202 }

203

204 if err := addRSA(year + "a"); err != nil {

205 return config.Domain{}, nil, err

206 }

207 if err := addRSA(year + "b"); err != nil {

208 return config.Domain{}, nil, err

209 }

210

211 // We sign with the first two. In case they are misused, the switch to the other

212 // keys is easy, just change the config. Operators should make the public key field

213 // of the misused keys empty in the DNS records to disable the misused keys.

214 confDKIM.Sign = []string{year + "a"}

215

216 confDomain := config.Domain{

217 ClientSettingsDomain: "mail." + domain.Name(),

218 LocalpartCatchallSeparator: "+",

219 DKIM: confDKIM,

220 DMARC: &config.DMARC{

221 Account: accountName,

222 Localpart: "dmarcreports",

223 Mailbox: "DMARC",

224 },

225 TLSRPT: &config.TLSRPT{

226 Account: accountName,

227 Localpart: "tlsreports",

228 Mailbox: "TLSRPT",

229 },

230 }

231

232 if withMTASTS {

233 confDomain.MTASTS = &config.MTASTS{

234 PolicyID: time.Now().UTC().Format("20060102T150405"),

235 Mode: mtasts.ModeEnforce,

236 // We start out with 24 hour, and warn in the admin interface that users should

237 // increase it to weeks once the setup works.

238 MaxAge: 24 * time.Hour,

239 MX: []string{hostname.ASCII},

240 }

241 }

242

243 rpaths := paths

244 paths = nil

245

246 return confDomain, rpaths, nil

247}

248

249// DKIMAdd adds a DKIM selector for a domain, generating a key and writing it to disk.

250func DKIMAdd(ctx context.Context, domain, selector dns.Domain, algorithm, hash string, headerRelaxed, bodyRelaxed, seal bool, headers []string, lifetime time.Duration) (rerr error) {

251 log := pkglog.WithContext(ctx)

252 defer func() {

253 if rerr != nil {

254 log.Errorx("adding dkim key", rerr,

255 slog.Any("domain", domain),

256 slog.Any("selector", selector))

257 }

258 }()

259

260 switch hash {

261 case "sha256", "sha1":

262 default:

263 return fmt.Errorf("%w: unknown hash algorithm %q", ErrRequest, hash)

264 }

265

266 var privKey []byte

267 var err error

268 var kind string

269 switch algorithm {

270 case "rsa":

271 privKey, err = MakeDKIMRSAKey(selector, domain)

272 kind = "rsa2048"

273 case "ed25519":

274 privKey, err = MakeDKIMEd25519Key(selector, domain)

275 kind = "ed25519"

276 default:

277 err = fmt.Errorf("unknown algorithm")

278 }

279 if err != nil {

280 return fmt.Errorf("%w: making dkim key: %v", ErrRequest, err)

281 }

282

283 // Only take lock now, we don't want to hold it while generating a key.

284 defer mox.Conf.DynamicLockUnlock()()

285

286 c := mox.Conf.Dynamic

287 d, ok := c.Domains[domain.Name()]

288 if !ok {

289 return fmt.Errorf("%w: domain does not exist", ErrRequest)

290 }

291

292 if _, ok := d.DKIM.Selectors[selector.Name()]; ok {

293 return fmt.Errorf("%w: selector already exists for domain", ErrRequest)

294 }

295

296 record := fmt.Sprintf("%s._domainkey.%s", selector.ASCII, domain.ASCII)

297 timestamp := time.Now().Format("20060102T150405")

298 keyPath := filepath.Join("dkim", fmt.Sprintf("%s.%s.%s.privatekey.pkcs8.pem", record, timestamp, kind))

299 p := mox.ConfigDynamicDirPath(keyPath)

300 if err := writeFile(log, p, privKey); err != nil {

301 return fmt.Errorf("writing key file: %v", err)

302 }

303 removePath := p

304 defer func() {

305 if removePath != "" {

306 err := os.Remove(removePath)

307 log.Check(err, "removing path for dkim key", slog.String("path", removePath))

308 }

309 }()

310

311 nsel := config.Selector{

312 Hash: hash,

313 Canonicalization: config.Canonicalization{

314 HeaderRelaxed: headerRelaxed,

315 BodyRelaxed: bodyRelaxed,

316 },

317 Headers: headers,

318 DontSealHeaders: !seal,

319 Expiration: lifetime.String(),

320 PrivateKeyFile: keyPath,

321 }

322

323 // All good, time to update the config.

324 nd := d

325 nd.DKIM.Selectors = map[string]config.Selector{}

326 maps.Copy(nd.DKIM.Selectors, d.DKIM.Selectors)

327 nd.DKIM.Selectors[selector.Name()] = nsel

328 nc := c

329 nc.Domains = map[string]config.Domain{}

330 maps.Copy(nc.Domains, c.Domains)

331 nc.Domains[domain.Name()] = nd

332

333 if err := mox.WriteDynamicLocked(ctx, log, nc); err != nil {

334 return fmt.Errorf("writing domains.conf: %w", err)

335 }

336

337 log.Info("dkim key added", slog.Any("domain", domain), slog.Any("selector", selector))

338 removePath = "" // Prevent cleanup of key file.

339 return nil

340}

341

342// DKIMRemove removes the selector from the domain, moving the key file out of the way.

343func DKIMRemove(ctx context.Context, domain, selector dns.Domain) (rerr error) {

344 log := pkglog.WithContext(ctx)

345 defer func() {

346 if rerr != nil {

347 log.Errorx("removing dkim key", rerr,

348 slog.Any("domain", domain),

349 slog.Any("selector", selector))

350 }

351 }()

352

353 defer mox.Conf.DynamicLockUnlock()()

354

355 c := mox.Conf.Dynamic

356 d, ok := c.Domains[domain.Name()]

357 if !ok {

358 return fmt.Errorf("%w: domain does not exist", ErrRequest)

359 }

360

361 sel, ok := d.DKIM.Selectors[selector.Name()]

362 if !ok {

363 return fmt.Errorf("%w: selector does not exist for domain", ErrRequest)

364 }

365

366 nsels := map[string]config.Selector{}

367 for name, sel := range d.DKIM.Selectors {

368 if name != selector.Name() {

369 nsels[name] = sel

370 }

371 }

372 nsign := make([]string, 0, len(d.DKIM.Sign))

373 for _, name := range d.DKIM.Sign {

374 if name != selector.Name() {

375 nsign = append(nsign, name)

376 }

377 }

378

379 nd := d

380 nd.DKIM = config.DKIM{Selectors: nsels, Sign: nsign}

381 nc := c

382 nc.Domains = map[string]config.Domain{}

383 maps.Copy(nc.Domains, c.Domains)

384 nc.Domains[domain.Name()] = nd

385

386 if err := mox.WriteDynamicLocked(ctx, log, nc); err != nil {

387 return fmt.Errorf("writing domains.conf: %w", err)

388 }

389

390 // Move away a DKIM private key to a subdirectory "old". But only if

391 // not in use by other domains.

392 usedKeyPaths := gatherUsedKeysPaths(nc)

393 moveAwayKeys(log, map[string]config.Selector{selector.Name(): sel}, usedKeyPaths)

394

395 log.Info("dkim key removed", slog.Any("domain", domain), slog.Any("selector", selector))

396 return nil

397}

398

399// DomainAdd adds the domain to the domains config, rewriting domains.conf and

400// marking it loaded.

401//

402// accountName is used for DMARC/TLS report and potentially for the postmaster address.

403// If the account does not exist, it is created with localpart. Localpart must be

404// set only if the account does not yet exist.

405func DomainAdd(ctx context.Context, disabled bool, domain dns.Domain, accountName string, localpart smtp.Localpart) (rerr error) {

406 log := pkglog.WithContext(ctx)

407 defer func() {

408 if rerr != nil {

409 log.Errorx("adding domain", rerr,

410 slog.Any("disabled", disabled),

411 slog.Any("domain", domain),

412 slog.String("account", accountName),

413 slog.Any("localpart", localpart))

414 }

415 }()

416

417 defer mox.Conf.DynamicLockUnlock()()

418

419 c := mox.Conf.Dynamic

420 if _, ok := c.Domains[domain.Name()]; ok {

421 return fmt.Errorf("%w: domain already present", ErrRequest)

422 }

423

424 // Compose new config without modifying existing data structures. If we fail, we

425 // leave no trace.

426 nc := c

427 nc.Domains = map[string]config.Domain{}

428 maps.Copy(nc.Domains, c.Domains)

429

430 // Only enable mta-sts for domain if there is a listener with mta-sts.

431 var withMTASTS bool

432 for _, l := range mox.Conf.Static.Listeners {

433 if l.MTASTSHTTPS.Enabled {

434 withMTASTS = true

435 break

436 }

437 }

438

439 confDomain, cleanupFiles, err := MakeDomainConfig(ctx, domain, mox.Conf.Static.HostnameDomain, accountName, withMTASTS)

440 if err != nil {

441 return fmt.Errorf("preparing domain config: %v", err)

442 }

443 defer func() {

444 for _, f := range cleanupFiles {

445 err := os.Remove(f)

446 log.Check(err, "cleaning up file after error", slog.String("path", f))

447 }

448 }()

449 confDomain.Disabled = disabled

450

451 if _, ok := c.Accounts[accountName]; ok && localpart != "" {

452 return fmt.Errorf("%w: account already exists (leave localpart empty when using an existing account)", ErrRequest)

453 } else if !ok && localpart == "" {

454 return fmt.Errorf("%w: account does not yet exist (specify a localpart)", ErrRequest)

455 } else if accountName == "" {

456 return fmt.Errorf("%w: account name is empty", ErrRequest)

457 } else if !ok {

458 nc.Accounts[accountName] = MakeAccountConfig(smtp.NewAddress(localpart, domain))

459 } else if accountName != mox.Conf.Static.Postmaster.Account {

460 nacc := nc.Accounts[accountName]

461 nd := map[string]config.Destination{}

462 maps.Copy(nd, nacc.Destinations)

463 pmaddr := smtp.NewAddress("postmaster", domain)

464 nd[pmaddr.String()] = config.Destination{}

465 nacc.Destinations = nd

466 nc.Accounts[accountName] = nacc

467 }

468

469 nc.Domains[domain.Name()] = confDomain

470

471 if err := mox.WriteDynamicLocked(ctx, log, nc); err != nil {

472 return fmt.Errorf("writing domains.conf: %w", err)

473 }

474 log.Info("domain added", slog.Any("domain", domain), slog.Bool("disabled", disabled))

475 cleanupFiles = nil // All good, don't cleanup.

476 return nil

477}

478

479// DomainRemove removes domain from the config, rewriting domains.conf.

480//

481// No accounts are removed, also not when they still reference this domain.

482func DomainRemove(ctx context.Context, domain dns.Domain) (rerr error) {

483 log := pkglog.WithContext(ctx)

484 defer func() {

485 if rerr != nil {

486 log.Errorx("removing domain", rerr, slog.Any("domain", domain))

487 }

488 }()

489

490 defer mox.Conf.DynamicLockUnlock()()

491

492 c := mox.Conf.Dynamic

493 domConf, ok := c.Domains[domain.Name()]

494 if !ok {

495 return fmt.Errorf("%w: domain does not exist", ErrRequest)

496 }

497

498 // Check that the domain isn't referenced in a TLS public key.

499 tlspubkeys, err := store.TLSPublicKeyList(ctx, "")

500 if err != nil {

501 return fmt.Errorf("%w: listing tls public keys: %s", ErrRequest, err)

502 }

503 atdom := "@" + domain.Name()

504 for _, tpk := range tlspubkeys {

505 if strings.HasSuffix(tpk.LoginAddress, atdom) {

506 return fmt.Errorf("%w: domain is still referenced in tls public key by login address %q of account %q, change or remove it first", ErrRequest, tpk.LoginAddress, tpk.Account)

507 }

508 }

509

510 // Compose new config without modifying existing data structures. If we fail, we

511 // leave no trace.

512 nc := c

513 nc.Domains = map[string]config.Domain{}

514 s := domain.Name()

515 for name, d := range c.Domains {

516 if name != s {

517 nc.Domains[name] = d

518 }

519 }

520

521 if err := mox.WriteDynamicLocked(ctx, log, nc); err != nil {

522 return fmt.Errorf("writing domains.conf: %w", err)

523 }

524

525 // Move away any DKIM private keys to a subdirectory "old". But only if

526 // they are not in use by other domains.

527 usedKeyPaths := gatherUsedKeysPaths(nc)

528 moveAwayKeys(log, domConf.DKIM.Selectors, usedKeyPaths)

529

530 log.Info("domain removed", slog.Any("domain", domain))

531 return nil

532}

533

534func gatherUsedKeysPaths(nc config.Dynamic) map[string]bool {

535 usedKeyPaths := map[string]bool{}

536 for _, dc := range nc.Domains {

537 for _, sel := range dc.DKIM.Selectors {

538 usedKeyPaths[filepath.Clean(sel.PrivateKeyFile)] = true

539 }

540 }

541 return usedKeyPaths

542}

543

544func moveAwayKeys(log mlog.Log, sels map[string]config.Selector, usedKeyPaths map[string]bool) {

545 for _, sel := range sels {

546 if sel.PrivateKeyFile == "" || usedKeyPaths[filepath.Clean(sel.PrivateKeyFile)] {

547 continue

548 }

549 src := mox.ConfigDirPath(sel.PrivateKeyFile)

550 dst := mox.ConfigDirPath(filepath.Join(filepath.Dir(sel.PrivateKeyFile), "old", filepath.Base(sel.PrivateKeyFile)))

551 _, err := os.Stat(dst)

552 if err == nil {

553 err = fmt.Errorf("destination already exists")

554 } else if os.IsNotExist(err) {

555 os.MkdirAll(filepath.Dir(dst), 0770)

556 err = os.Rename(src, dst)

557 }

558 if err != nil {

559 log.Errorx("renaming dkim private key file for removed domain", err, slog.String("src", src), slog.String("dst", dst))

560 }

561 }

562}

563

564// DomainSave calls xmodify with a shallow copy of the domain config. xmodify

565// can modify the config, but must clone all referencing data it changes.

566// xmodify may employ panic-based error handling. After xmodify returns, the

567// modified config is verified, saved and takes effect.

568func DomainSave(ctx context.Context, domainName string, xmodify func(config *config.Domain) error) (rerr error) {

569 log := pkglog.WithContext(ctx)

570 defer func() {

571 if rerr != nil {

572 log.Errorx("saving domain config", rerr)

573 }

574 }()

575

576 defer mox.Conf.DynamicLockUnlock()()

577

578 nc := mox.Conf.Dynamic // Shallow copy.

579 dom, ok := nc.Domains[domainName] // dom is a shallow copy.

580 if !ok {

581 return fmt.Errorf("%w: domain not present", ErrRequest)

582 }

583

584 if err := xmodify(&dom); err != nil {

585 return err

586 }

587

588 // Compose new config without modifying existing data structures. If we fail, we

589 // leave no trace.

590 nc.Domains = map[string]config.Domain{}

591 maps.Copy(nc.Domains, mox.Conf.Dynamic.Domains)

592 nc.Domains[domainName] = dom

593

594 if err := mox.WriteDynamicLocked(ctx, log, nc); err != nil {

595 return fmt.Errorf("writing domains.conf: %w", err)

596 }

597

598 log.Info("domain saved")

599 return nil

600}

601

602// ConfigSave calls xmodify with a shallow copy of the dynamic config. xmodify

603// can modify the config, but must clone all referencing data it changes.

604// xmodify may employ panic-based error handling. After xmodify returns, the

605// modified config is verified, saved and takes effect.

606func ConfigSave(ctx context.Context, xmodify func(config *config.Dynamic)) (rerr error) {

607 log := pkglog.WithContext(ctx)

608 defer func() {

609 if rerr != nil {

610 log.Errorx("saving config", rerr)

611 }

612 }()

613

614 defer mox.Conf.DynamicLockUnlock()()

615

616 nc := mox.Conf.Dynamic // Shallow copy.

617 xmodify(&nc)

618

619 if err := mox.WriteDynamicLocked(ctx, log, nc); err != nil {

620 return fmt.Errorf("writing domains.conf: %w", err)

621 }

622

623 log.Info("config saved")

624 return nil

625}

626

627// AccountAdd adds an account and an initial address and reloads the configuration.

628//

629// The new account does not have a password, so cannot yet log in. Email can be

630// delivered.

631//

632// Catchall addresses are not supported for AccountAdd. Add separately with AddressAdd.

633func AccountAdd(ctx context.Context, account, address string) (rerr error) {

634 log := pkglog.WithContext(ctx)

635 defer func() {

636 if rerr != nil {

637 log.Errorx("adding account", rerr, slog.String("account", account), slog.String("address", address))

638 }

639 }()

640

641 addr, err := smtp.ParseAddress(address)

642 if err != nil {

643 return fmt.Errorf("%w: parsing email address: %v", ErrRequest, err)

644 }

645

646 defer mox.Conf.DynamicLockUnlock()()

647

648 c := mox.Conf.Dynamic

649 if _, ok := c.Accounts[account]; ok {

650 return fmt.Errorf("%w: account already present", ErrRequest)

651 }

652

653 // Ensure the directory does not exist, e.g. due to pending account removal, or an

654 // otherwise failed cleanup.

655 accountDir := filepath.Join(mox.DataDirPath("accounts"), account)

656 if _, err := os.Stat(accountDir); err == nil {

657 return fmt.Errorf("%w: account directory %q already/still exists", ErrRequest, accountDir)

658 } else if !errors.Is(err, fs.ErrNotExist) {

659 return fmt.Errorf(`%w: stat account directory %q, expected "does not exist": %v`, ErrRequest, accountDir, err)

660 }

661

662 if err := checkAddressAvailable(addr); err != nil {

663 return fmt.Errorf("%w: address not available: %v", ErrRequest, err)

664 }

665

666 // Compose new config without modifying existing data structures. If we fail, we

667 // leave no trace.

668 nc := c

669 nc.Accounts = map[string]config.Account{}

670 maps.Copy(nc.Accounts, c.Accounts)

671 nc.Accounts[account] = MakeAccountConfig(addr)

672

673 if err := mox.WriteDynamicLocked(ctx, log, nc); err != nil {

674 return fmt.Errorf("writing domains.conf: %w", err)

675 }

676 log.Info("account added", slog.String("account", account), slog.Any("address", addr))

677 return nil

678}

679

680// AccountRemove removes an account and reloads the configuration.

681func AccountRemove(ctx context.Context, account string) (rerr error) {

682 log := pkglog.WithContext(ctx)

683 defer func() {

684 if rerr != nil {

685 log.Errorx("adding account", rerr, slog.String("account", account))

686 }

687 }()

688

689 // Open account now. The deferred Close MUST happen after the dynamic unlock,

690 // because during tests the consistency checker takes the same lock.

691 acc, err := store.OpenAccount(log, account, false)

692 if err != nil {

693 return fmt.Errorf("%w: open account: %v", ErrRequest, err)

694 }

695 defer func() {

696 err := acc.SessionsClear(context.Background(), log)

697 log.Check(err, "clearing account login sessions")

698

699 err = acc.Close()

700 log.Check(err, "closing account after error")

701 }()

702

703 // Fail message and webhook deliveries from the queue for this account.

704 // Must be before the dynamic lock, since failing a message delivers a DSN to the

705 // account. We fail instead of drop because an error can still occur causing us to

706 // abort.

707 nfailed, err := queue.Fail(ctx, log, queue.Filter{Account: account})

708 if nfailed > 0 {

709 log.Info("failing queued messages for removed account", slog.Int("count", nfailed))

710 }

711 if err != nil {

712 return fmt.Errorf("failing queued messages for account before removing: %v", err)

713 }

714 ncanceled, err := queue.HookCancel(ctx, log, queue.HookFilter{Account: account})

715 if ncanceled > 0 {

716 log.Info("canceling queued webhooks for removed account", slog.Int("count", ncanceled))

717 }

718 if err != nil {

719 return fmt.Errorf("canceling queued webhooks for account before removing: %v", err)

720 }

721

722 // Cleanup suppressed addresses for account.

723 suppressions, err := queue.SuppressionList(ctx, account)

724 if err != nil {

725 return fmt.Errorf("listing suppressed addresses for account: %v", err)

726 }

727 for _, sup := range suppressions {

728 addr, err := smtp.ParseAddress(sup.BaseAddress)

729 if err != nil {

730 return fmt.Errorf("parsing suppressed address %q: %v", sup.BaseAddress, err)

731 }

732 if err := queue.SuppressionRemove(ctx, account, addr.Path()); err != nil {

733 return fmt.Errorf("removing suppression %q for account: %v", sup.BaseAddress, err)

734 }

735 }

736

737 defer mox.Conf.DynamicLockUnlock()()

738

739 c := mox.Conf.Dynamic

740

741 // Compose new config without modifying existing data structures. If we fail, we

742 // leave no trace.

743 nc := c

744 nc.Accounts = map[string]config.Account{}

745 for name, a := range c.Accounts {

746 if name != account {

747 nc.Accounts[name] = a

748 }

749 }

750

751 // Write new config file.

752 if err := mox.WriteDynamicLocked(ctx, log, nc); err != nil {

753 return fmt.Errorf("writing domains.conf: %w", err)

754 }

755

756 // Mark files for account for removal as soon as all references have gone.

757 if err := acc.Remove(context.Background()); err != nil {

758 return fmt.Errorf("account removed from configuration file, but scheduling account directory for removal failed: %v", err)

759 }

760

761 log.Info("account marked for removal", slog.String("account", account))

762 return nil

763}

764

765// checkAddressAvailable checks that the address after canonicalization is not

766// already configured, and that its localpart does not contain a catchall

767// localpart separator.

768//

769// Must be called with config lock held.

770func checkAddressAvailable(addr smtp.Address) error {

771 dc, ok := mox.Conf.Dynamic.Domains[addr.Domain.Name()]

772 if !ok {

773 return fmt.Errorf("domain does not exist")

774 }

775 lp := mox.CanonicalLocalpart(addr.Localpart, dc)

776 if _, ok := mox.Conf.AccountDestinationsLocked[smtp.NewAddress(lp, addr.Domain).String()]; ok {

777 return fmt.Errorf("canonicalized address %s already configured", smtp.NewAddress(lp, addr.Domain))

778 }

779 for _, sep := range dc.LocalpartCatchallSeparatorsEffective {

780 if strings.Contains(string(addr.Localpart), sep) {

781 return fmt.Errorf("localpart cannot include domain catchall separator %s", sep)

782 }

783 }

784 if _, ok := dc.Aliases[lp.String()]; ok {

785 return fmt.Errorf("address in use as alias")

786 }

787 return nil

788}

789

790// AddressAdd adds an email address to an account and reloads the configuration. If

791// address starts with an @ it is treated as a catchall address for the domain.

792func AddressAdd(ctx context.Context, address, account string) (rerr error) {

793 log := pkglog.WithContext(ctx)

794 defer func() {

795 if rerr != nil {

796 log.Errorx("adding address", rerr, slog.String("address", address), slog.String("account", account))

797 }

798 }()

799

800 defer mox.Conf.DynamicLockUnlock()()

801

802 c := mox.Conf.Dynamic

803 a, ok := c.Accounts[account]

804 if !ok {

805 return fmt.Errorf("%w: account does not exist", ErrRequest)

806 }

807

808 var destAddr string

809 if strings.HasPrefix(address, "@") {

810 d, err := dns.ParseDomain(address[1:])

811 if err != nil {

812 return fmt.Errorf("%w: parsing domain: %v", ErrRequest, err)

813 }

814 dname := d.Name()

815 destAddr = "@" + dname

816 if _, ok := mox.Conf.Dynamic.Domains[dname]; !ok {

817 return fmt.Errorf("%w: domain does not exist", ErrRequest)

818 } else if _, ok := mox.Conf.AccountDestinationsLocked[destAddr]; ok {

819 return fmt.Errorf("%w: catchall address already configured for domain", ErrRequest)

820 }

821 } else {

822 addr, err := smtp.ParseAddress(address)

823 if err != nil {

824 return fmt.Errorf("%w: parsing email address: %v", ErrRequest, err)

825 }

826

827 if err := checkAddressAvailable(addr); err != nil {

828 return fmt.Errorf("%w: address not available: %v", ErrRequest, err)

829 }

830 destAddr = addr.String()

831 }

832

833 // Compose new config without modifying existing data structures. If we fail, we

834 // leave no trace.

835 nc := c

836 nc.Accounts = map[string]config.Account{}

837 maps.Copy(nc.Accounts, c.Accounts)

838 nd := map[string]config.Destination{}

839 maps.Copy(nd, a.Destinations)

840 nd[destAddr] = config.Destination{}

841 a.Destinations = nd

842 nc.Accounts[account] = a

843

844 if err := mox.WriteDynamicLocked(ctx, log, nc); err != nil {

845 return fmt.Errorf("writing domains.conf: %w", err)

846 }

847 log.Info("address added", slog.String("address", address), slog.String("account", account))

848 return nil

849}

850

851// AddressRemove removes an email address and reloads the configuration.

852// Address can be a catchall address for the domain of the form "@<domain>".

853//

854// If the address is member of an alias, remove it from from the alias, unless it

855// is the last member.

856func AddressRemove(ctx context.Context, address string) (rerr error) {

857 log := pkglog.WithContext(ctx)

858 defer func() {

859 if rerr != nil {

860 log.Errorx("removing address", rerr, slog.String("address", address))

861 }

862 }()

863

864 defer mox.Conf.DynamicLockUnlock()()

865

866 ad, ok := mox.Conf.AccountDestinationsLocked[address]

867 if !ok {

868 return fmt.Errorf("%w: address does not exists", ErrRequest)

869 }

870

871 // Compose new config without modifying existing data structures. If we fail, we

872 // leave no trace.

873 a, ok := mox.Conf.Dynamic.Accounts[ad.Account]

874 if !ok {

875 return fmt.Errorf("internal error: cannot find account")

876 }

877 na := a

878 na.Destinations = map[string]config.Destination{}

879 var dropped bool

880 for destAddr, d := range a.Destinations {

881 if destAddr != address {

882 na.Destinations[destAddr] = d

883 } else {

884 dropped = true

885 }

886 }

887 if !dropped {

888 return fmt.Errorf("%w: address not removed, likely a postmaster/reporting address", ErrRequest)

889 }

890

891 // Also remove matching address from FromIDLoginAddresses, composing a new slice.

892 // Refuse if address is referenced in a TLS public key.

893 var dom dns.Domain

894 var pa smtp.Address // For non-catchall addresses (most).

895 var err error

896 if strings.HasPrefix(address, "@") {

897 dom, err = dns.ParseDomain(address[1:])

898 if err != nil {

899 return fmt.Errorf("%w: parsing domain for catchall address: %v", ErrRequest, err)

900 }

901 } else {

902 pa, err = smtp.ParseAddress(address)

903 if err != nil {

904 return fmt.Errorf("%w: parsing address: %v", ErrRequest, err)

905 }

906 dom = pa.Domain

907 }

908 dc, ok := mox.Conf.Dynamic.Domains[dom.Name()]

909 if !ok {

910 return fmt.Errorf("%w: unknown domain in address %q", ErrRequest, address)

911 }

912

913 var fromIDLoginAddresses []string

914 for i, fa := range a.ParsedFromIDLoginAddresses {

915 if fa.Domain != dom {

916 // Keep for different domain.

917 fromIDLoginAddresses = append(fromIDLoginAddresses, a.FromIDLoginAddresses[i])

918 continue

919 }

920 if strings.HasPrefix(address, "@") {

921 continue

922 }

923 flp := mox.CanonicalLocalpart(fa.Localpart, dc)

924 alp := mox.CanonicalLocalpart(pa.Localpart, dc)

925 if alp != flp {

926 // Keep for different localpart.

927 fromIDLoginAddresses = append(fromIDLoginAddresses, a.FromIDLoginAddresses[i])

928 }

929 }

930 na.FromIDLoginAddresses = fromIDLoginAddresses

931

932 // Refuse if there is still a TLS public key that references this address.

933 tlspubkeys, err := store.TLSPublicKeyList(ctx, ad.Account)

934 if err != nil {

935 return fmt.Errorf("%w: listing tls public keys for account: %v", ErrRequest, err)

936 }

937 for _, tpk := range tlspubkeys {

938 a, err := smtp.ParseAddress(tpk.LoginAddress)

939 if err != nil {

940 return fmt.Errorf("%w: parsing address from tls public key: %v", ErrRequest, err)

941 }

942 lp := mox.CanonicalLocalpart(a.Localpart, dc)

943 ca := smtp.NewAddress(lp, a.Domain)

944 if xad, ok := mox.Conf.AccountDestinationsLocked[ca.String()]; ok && xad.Localpart == ad.Localpart {

945 return fmt.Errorf("%w: tls public key %q references this address as login address %q, remove the tls public key before removing the address", ErrRequest, tpk.Fingerprint, tpk.LoginAddress)

946 }

947 }

948

949 // And remove as member from aliases configured in domains.

950 domains := maps.Clone(mox.Conf.Dynamic.Domains)

951 for _, aa := range na.Aliases {

952 if aa.SubscriptionAddress != address {

953 continue

954 }

955

956 aliasAddr := fmt.Sprintf("%s@%s", aa.Alias.LocalpartStr, aa.Alias.Domain.Name())

957

958 dom, ok := mox.Conf.Dynamic.Domains[aa.Alias.Domain.Name()]

959 if !ok {

960 return fmt.Errorf("cannot find domain for alias %s", aliasAddr)

961 }

962 a, ok := dom.Aliases[aa.Alias.LocalpartStr]

963 if !ok {

964 return fmt.Errorf("cannot find alias %s", aliasAddr)

965 }

966 a.Addresses = slices.Clone(a.Addresses)

967 a.Addresses = slices.DeleteFunc(a.Addresses, func(v string) bool { return v == address })

968 if len(a.Addresses) == 0 {

969 return fmt.Errorf("address is last member of alias %s, add new members or remove alias first", aliasAddr)

970 }

971 a.ParsedAddresses = nil // Filled when parsing config.

972 dom.Aliases = maps.Clone(dom.Aliases)

973 dom.Aliases[aa.Alias.LocalpartStr] = a

974 domains[aa.Alias.Domain.Name()] = dom

975 }

976 na.Aliases = nil // Filled when parsing config.

977

978 // Check that no message in the queue is for this address. The new account config

979 // must still match this address.

980 msgs, err := queue.List(ctx, queue.Filter{Account: ad.Account}, queue.Sort{})

981 if err != nil {

982 return fmt.Errorf("listing messages in queue for account: %v", err)

983 }

984 for _, m := range msgs {

985 dc, ok := mox.Conf.Dynamic.Domains[m.SenderDomainStr]

986 if !ok {

987 return fmt.Errorf("%w: unknown sender domain %q in queued message", ErrRequest, m.SenderDomainStr)

988 }

989 lp := mox.CanonicalLocalpart(m.SenderLocalpart, dc)

990 sa := smtp.NewAddress(lp, m.SenderDomain.Domain).String()

991 if strings.HasPrefix(address, "@") {

992 // We are removing the catchall address. The queued message sender address must be

993 // configured explicitly to still belong to the account.

994 if xad, ok := mox.Conf.AccountDestinationsLocked[sa]; !ok || xad.Account != ad.Account {

995 return fmt.Errorf("%w: message delivery queue contains message with sender address %q that depends on the catchall address, drop message from queue first", ErrRequest, sa)

996 }

997 } else {

998 // We are removing a regular address. If the queued message matches the address,

999 // the catchall address must be configured for this account.

1000 if xad, ok := mox.Conf.AccountDestinationsLocked["@"+m.SenderDomainStr]; (!ok || xad.Account != ad.Account) && sa == address {

1001 return fmt.Errorf("%w: message delivery queue contains message with sender address %q and no catchall address is configured, drop message from queue first", ErrRequest, sa)

1002 }

1003 }

1004 }

1005

1006 nc := mox.Conf.Dynamic

1007 nc.Accounts = map[string]config.Account{}

1008 maps.Copy(nc.Accounts, mox.Conf.Dynamic.Accounts)

1009 nc.Accounts[ad.Account] = na

1010 nc.Domains = domains

1011

1012 if err := mox.WriteDynamicLocked(ctx, log, nc); err != nil {

1013 return fmt.Errorf("writing domains.conf: %w", err)